---
page_title: "cloudflare_certificate_pack Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a Cloudflare Certificate Pack resource that is used to
  provision managed TLS certificates.
---

# cloudflare_certificate_pack (Resource)

Provides a Cloudflare Certificate Pack resource that is used to
provision managed TLS certificates.

~> Certificate packs cannot be updated in place. If you require a
zero-downtime rotation, you need to use Terraform's meta-arguments
for [`lifecycle`](https://www.terraform.io/docs/configuration/resources.html#lifecycle-lifecycle-customizations) blocks.
`create_before_destroy` should suffice for most scenarios (exceptions are
things like missing entitlements, high ranking domain). To completely
de-risk rotations, you can create multiple resources using a 2-phase change
where you have both resources live at once and you remove the old one once
you've confirmed the certificate is available.

## Example Usage

```terraform
# Advanced certificate manager for DigiCert
resource "cloudflare_certificate_pack" "example" {
  zone_id               = "0da42c8d2132a9ddaf714f9e7c920711"
  type                  = "advanced"
  hosts                 = ["example.com", "sub.example.com"]
  validation_method     = "txt"
  validity_days         = 30
  certificate_authority = "digicert"
  cloudflare_branding   = false
}

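# Advanced certificate manager for Let's Encrypt
# (named differently from the DigiCert example: two resources of the same
# type cannot share a name within one module)
resource "cloudflare_certificate_pack" "example_lets_encrypt" {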
  zone_id                = "0da42c8d2132a9ddaf714f9e7c920711"
  type                   = "advanced"
  hosts                  = ["example.com", "*.example.com"]
  validation_method      = "http"
  validity_days          = 90
  certificate_authority  = "lets_encrypt"
  cloudflare_branding    = false
  wait_for_active_status = true
}
```
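
The two rotation approaches from the note at the top of this page, written out as an added example (not part of the provider's generated documentation). The resource names `rotating`, `current` and `next`, the `locals` block and the output name are assumptions for illustration; use option A or option B, not both.

```terraform
# Added example. Zone ID, hostnames and resource names are placeholders.
locals {
  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
  hosts   = ["example.com", "sub.example.com"]
}

# Option A: one resource, replaced in create-then-destroy order.
resource "cloudflare_certificate_pack" "rotating" {
  zone_id               = local.zone_id
  type                  = "advanced"
  hosts                 = local.hosts
  validation_method     = "txt"
  validity_days         = 90
  certificate_authority = "digicert"

  # Creation blocks until the pack is `active`, so the old pack is only
  # destroyed after the replacement has been issued.
  wait_for_active_status = true

  lifecycle {
    create_before_destroy = true
  }
}

# Option B (instead of A): two-phase change. Phase 1: add "next" beside
# "current" and apply, so both packs are live. Phase 2: once the new
# certificate is confirmed available, delete "current" and apply again.
resource "cloudflare_certificate_pack" "current" {
  zone_id               = local.zone_id
  type                  = "advanced"
  hosts                 = local.hosts
  validation_method     = "txt"
  validity_days         = 30
  certificate_authority = "digicert"
}

resource "cloudflare_certificate_pack" "next" {
  zone_id                = local.zone_id
  type                   = "advanced"
  hosts                  = local.hosts
  validation_method      = "txt"
  validity_days          = 90
  certificate_authority  = "digicert"
  wait_for_active_status = true
}

output "next_validation_errors" {
  value = cloudflare_certificate_pack.next.validation_errors
}
```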
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `certificate_authority` (String) Which certificate authority to issue the certificate pack. Available values: `digicert`, `lets_encrypt`, `google`. **Modifying this attribute will force creation of a new resource.**
- `hosts` (Set of String) List of hostnames to provision the certificate pack for. The zone name must be included as a host. Note: If using Let's Encrypt, you cannot use individual subdomains; only a wildcard for subdomains is available. **Modifying this attribute will force creation of a new resource.**
- `type` (String) Certificate pack configuration type. Available values: `advanced`. **Modifying this attribute will force creation of a new resource.**
- `validation_method` (String) Which validation method to use in order to prove domain ownership. Available values: `txt`, `http`, `email`. **Modifying this attribute will force creation of a new resource.**
- `validity_days` (Number) How long the certificate is valid for. Note: If using Let's Encrypt, this value can only be 90 days. Available values: `14`, `30`, `90`, `365`. **Modifying this attribute will force creation of a new resource.**
- `zone_id` (String) The zone identifier to target for the resource. **Modifying this attribute will force creation of a new resource.**

### Optional

- `cloudflare_branding` (Boolean) Whether or not to include Cloudflare branding. This will add `sni.cloudflaressl.com` as the Common Name if set to `true`. **Modifying this attribute will force creation of a new resource.**
- `validation_records` (Block List) (see [below for nested schema](#nestedblock--validation_records))
- `wait_for_active_status` (Boolean) Whether or not to wait for a certificate pack to reach status `active` during creation. Defaults to `false`. **Modifying this attribute will force creation of a new resource.**

### Read-Only

- `id` (String) The ID of this resource.
- `validation_errors` (Block List) (see [below for nested schema](#nestedblock--validation_errors))

<a id="nestedblock--validation_records"></a>
### Nested Schema for `validation_records`

Optional:

- `cname_name` (String)
- `cname_target` (String)
- `emails` (List of String)
- `http_body` (String)
- `http_url` (String)
- `txt_name` (String)
- `txt_value` (String)


<a id="nestedblock--validation_errors"></a>
### Nested Schema for `validation_errors`

Read-Only:

- `message` (String)

## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_certificate_pack.example <zone_id>/<certificate_pack_id>
```

While supported, importing isn't recommended and it is advised to replace the
certificate entirely instead.
